Share via


Audit Special Logon

Applies To: Windows 7, Windows Server 2008 R2

This security policy setting determines whether the operating system generates audit events when:

  • A special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.

  • A member of a special group logs on. Special Groups is a Windows feature that enables the administrator to find out when a member of a certain group has logged on. The administrator can set a list of group security identifiers (SIDs) in the registry. If any of these SIDs is added to a token during logon and this auditing subcategory is enabled, a security event is logged. For more information about this feature, see article 947223 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=120183).

Users holding special privileges can potentially make changes to the system. It is recommended to track their activity.

Event volume: Low

Default: Success

If this policy setting is configured, the following event is generated. The event appears on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

Event ID Event message

4964

Special groups have been assigned to a new logon.